From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Wed, 9 Mar 2011 22:11:21 +0100
Subject: [refpolicy] [PATCH 05/15] Allow mozilla/firefox to manage tempfiles
Message-ID: <20110309211121.GA4682@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

To be able to launch firefox, firefox needs to use tmp files and sockets. Create a domain for firefox to work in. Use ubac_constrained as not to potentially leak info

Signed-off-by: Sven Vermeulen
---
 policy/modules/apps/mozilla.te | 10 ++++++++++
 1 files changed, 10 insertions(+), 0 deletions(-)

diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
index 2a91fa8..c8c459c 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -33,6 +33,10 @@ typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_
 files_tmpfs_file(mozilla_tmpfs_t)
 ubac_constrained(mozilla_tmpfs_t)
+type mozilla_tmp_t;
+files_tmp_file(mozilla_tmp_t)
+ubac_contrained(mozilla_tmp_t)
+
 ########################################
 #
 # Local policy
@@ -68,6 +72,10 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
 manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
 fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file })
+manage_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
+manage_dirs_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
+files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir } )
+
 kernel_read_kernel_sysctls(mozilla_t)
 kernel_read_network_state(mozilla_t)
 # Access /proc, sysctl
@@ -142,6 +150,8 @@ miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
 sysnet_dns_name_resolve(mozilla_t)
 userdom_use_user_ptys(mozilla_t)
+userdom_manage_user_tmp_files(mozilla_t)
+userdom_manage_user_tmp_sockets(mozilla_t)
 xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
 xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
-- 
1.7.3.4
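Review bot: The third added line of the first hunk calls `ubac_contrained(mozilla_tmp_t)`, which is misspelled; the context line just above it uses `ubac_constrained(mozilla_tmpfs_t)` and the description names `ubac_constrained` as well. An unknown macro name is presumably left unexpanded by the preprocessor, so the module would most likely fail to compile. In any case the user-based constraint that the description relies on to avoid leaking information is not applied to the new type. The line should read `ubac_constrained(mozilla_tmp_t)`.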
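Review bot: The private type in the second hunk covers only `file` and `dir`, although the description says firefox needs temporary files and sockets. If the browser creates socket files directly in the temporary directory, they would not transition to `mozilla_tmp_t` under this rule. Adding `manage_sock_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)` and `sock_file` to the class set of `files_tmp_filetrans` would keep them in the private type, mirroring the tmpfs rules in the context lines. Whether that is needed depends on where the sockets are created, which the patch does not show. The stray space in `{ file dir } )` can be dropped at the same time.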
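Review bot: In the third hunk, `userdom_manage_user_tmp_files(mozilla_t)` and `userdom_manage_user_tmp_sockets(mozilla_t)` give the browser domain manage access to the user's general temporary files and sockets, which is broader than the private `mozilla_tmp_t` type this patch introduces and is not explained in the description. Because `mozilla_t` handles untrusted web content, whatever it may manage under the user tmp type is also within reach of a compromised browser, so the grant should be as narrow as the use case allows. If firefox only has to reach an existing file or socket there, a read-only or connect-only interface would be preferable; this should be confirmed against the denials that motivated the change. At minimum, a comment above the two lines, such as `# firefox needs <reason> in the user tmp directory`, would record why manage access is required.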